nmap
It's fun to scan networks with nmap! Check out this BHIS cheat sheet on this topic.
Do a ping sweep to find live hosts:
nmap -sn -iL subs.txt -oG pingsweep.gnmap -vvv
Then extract ONLY live hosts and sort them with:
grep "Up" pingsweep.gnmap | awk '{print $2}' > livehosts.txt
sort -V livehosts.txt -o livehosts.txt
Find domain controllers and save to a text file
(See our page on nslookup)
Grab version of VMWare instances
nmap -Pn -p443 some.cool.ip.address --script vmware-version
Check if LDAPS is configured on the domain controllers
nmap -Pn -sV -p636 -iL dcs.txt > ldaps.txt
Scan for UDP 623 (IPMI/ILO)
sudo nmap -sU -p623 --open -iL subnets.txt -oA ipmi -vvv
Find just the hosts with port 623 open
# Extract IPs from lines containing "Status: Up" and save to open.txt
grep "Status: Up" ipmi.gnmap | awk '{print $2}' > open.txt
# Sort the IPs and save the sorted list back to open.txt
sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 open.txt -o open.txt
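Parsing the .gnmap files from the ping sweep and the IPMI scan above in Python instead of grep, so the numeric sort and the UDP open|filtered ambiguity are handled explicitly. This is an added example, not from the original notes; the .gnmap text inside it is constructed to mimic what those commands write.

```python
"""Parse nmap .gnmap output instead of grepping it (added example, not from the
original notes; SAMPLE_GNMAP is constructed to mimic the ipmi/pingsweep files)."""
import ipaddress
import re

SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sU -p623 --open -iL subnets.txt -oA ipmi -vvv
Host: 10.0.0.7 ()\tStatus: Up
Host: 10.0.0.7 ()\tPorts: 623/open/udp//asf-rmcp///
Host: 10.0.0.12 (ilo-lab.example.test)\tStatus: Up
Host: 10.0.0.12 (ilo-lab.example.test)\tPorts: 623/open|filtered/udp//asf-rmcp///
Host: 10.0.0.3 ()\tStatus: Up
# Nmap done -- 256 IP addresses (3 hosts up) scanned in 12.34 seconds
"""

# Host: <ip> (<hostname>)<TAB><Field>: <value>
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(\w+):\s+(.*)$")

def parse_gnmap(text):
    """Yield (ip, hostname, field, value) for every Host: line."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            yield m.groups()

def sort_ips(ips):
    """Numeric sort like sort -V; a plain sort puts 10.0.0.12 before 10.0.0.7."""
    return sorted(set(ips), key=ipaddress.ip_address)

def live_hosts(text):
    """IPs whose Status field is exactly Up (what the 'Status: Up' grep intends)."""
    return sort_ips(ip for ip, _, field, value in parse_gnmap(text)
                    if field == "Status" and value == "Up")

def hosts_with_open_port(text, port, proto="udp", possibly_open=False):
    """IPs whose Ports field lists port/proto as open.
    Entries are port/state/proto/owner/service/rpc/version/. For UDP nmap reports
    'open|filtered' when nothing answered and --open keeps those, so a 'Status: Up'
    grep alone can include hosts that never actually replied on the port."""
    wanted = {"open", "open|filtered"} if possibly_open else {"open"}
    hits = []
    for ip, _, field, value in parse_gnmap(text):
        if field == "Ports":
            for entry in value.split("\tIgnored State")[0].split(", "):
                p = entry.strip().split("/")
                if len(p) > 2 and p[0] == str(port) and p[2] == proto and p[1] in wanted:
                    hits.append(ip)
    return sort_ips(hits)
```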
Then you can potentially use Metasploit to grab IPMI hashes and then Hashcat to crack them.
Check if SNMP is open
sudo nmap -sU -p161 --script=snmp-info 1.2.3.4
SNMP enumeration cheat sheet
Claude built this while we were troubleshooting some SNMP stuff on an external pentest:
═══════════════════════════════════════════════════════════════════════════════
SNMP ENUMERATION CHEAT SHEET — nmap + supporting tools
═══════════════════════════════════════════════════════════════════════════════
──── 1. CONFIRM THE PORT IS ACTUALLY OPEN ─────────────────────────────────────
sudo nmap -sU -p161 -sV --reason <target>
Look for "udp-response ttl X" in the --reason output: that means the target actually answered.
"no-response" means nmap is guessing; the port may not actually be answering.
──── 2. FINGERPRINT THE DEVICE & VERSION ──────────────────────────────────────
# All-in-one: vendor, engine ID, uptime, boot count
sudo nmap -sU -p161 --script snmp-info <target>
# snmp-sysdescr adds the system description string when v1/v2c is reachable
sudo nmap -sU -p161 --script "snmp-info,snmp-sysdescr" <target>
Key fields in output:
enterprise: Vendor name (ciscoSystems, microsoft, etc.)
engineIDFormat: How the engine ID was generated (mac, ipv4, text, etc.)
engineIDData: The actual identifier (if it is a MAC, look up the OUI to identify the hardware)
snmpEngineBoots: How many times device has booted
snmpEngineTime: Uptime since last boot (huge values = unpatched device)
──── 3. DETERMINE WHICH SNMP VERSIONS ARE ENABLED ─────────────────────────────
# v1 probe
snmpget -v1 -c public -t 2 -r 1 <target> 1.3.6.1.2.1.1.1.0
# v2c probe
snmpget -v2c -c public -t 2 -r 1 <target> 1.3.6.1.2.1.1.1.0
# v3 probe (no creds — discovery phase only)
snmpget -v3 -l noAuthNoPriv -u probeuser -t 2 -r 1 <target> 1.3.6.1.2.1.1.1.0
Reading results:
"sysDescr.0 = STRING:..." → version supported, community string valid
"Unknown user name" → v3 enabled, your user doesn't exist (CONFIRMS v3)
Error response → version supported, creds wrong
Timeout → version not enabled OR ACL filtering OR UDP loss
Flags: -t 2 = 2 sec timeout, -r 1 = 1 retry (default 5/5 is painful)
──── 4. INTERPRET THE ENGINE ID (VENDOR FINGERPRINT) ──────────────────────────
First 4 bytes of engineIDData = SMI enterprise number. Common ones:
00000009 = Cisco
0000000b = HP
0000001f = Cabletron
0000005b = Sun
00000311 = Microsoft
000001f7 = Juniper/NetScreen
If engineIDFormat is "mac", look up the OUI separately — it's a real MAC and
the OUI tells you what NIC/board is in the device, which sometimes differs
from the SNMP-reported vendor.
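A decoder for the engine ID layout section 4 describes, added here as an example (not part of the cheat sheet above). It follows the RFC 3411 SnmpEngineID format, which sets the high bit of the first byte, so a Cisco engine ID as dumped by nmap or Wireshark typically reads 80000009 and the decoder masks that bit off; the vendor table is a small subset of IANA enterprise numbers in decimal, and the sample engine IDs are constructed.

```python
"""Decode an SNMPv3 engine ID (the engineIDData nmap's snmp-info prints).
Added example, not part of the cheat sheet above. Follows RFC 3411: with the
high bit of byte 1 set, the low 31 bits of bytes 1-4 are the IANA enterprise
number, byte 5 is a format code and the rest is the data; with the high bit
clear it is the older form, 4-byte enterprise number + 8 opaque bytes."""
from dataclasses import dataclass
from typing import Optional

ENTERPRISES = {9: "ciscoSystems", 11: "hp", 42: "sun", 311: "microsoft"}  # IANA, decimal, subset
FORMATS = {1: "ipv4", 2: "ipv6", 3: "mac", 4: "text", 5: "octets"}      # RFC 3411 byte 5

@dataclass
class EngineID:
    enterprise: int
    vendor: str
    fmt: str
    data: str
    oui: Optional[str]  # first three MAC bytes, for a separate OUI lookup

def decode_engine_id(hexstr: str) -> EngineID:
    """hexstr may carry ':' or spaces, as copied from nmap or Wireshark."""
    raw = bytes.fromhex(hexstr.replace(":", "").replace(" ", ""))
    if len(raw) < 5:
        raise ValueError("engine ID too short")
    if not raw[0] & 0x80:  # legacy 12-byte form
        ent = int.from_bytes(raw[:4], "big")
        return EngineID(ent, ENTERPRISES.get(ent, "unknown"), "legacy", raw[4:].hex(), None)
    ent = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    code, payload = raw[4], raw[5:]
    fmt = FORMATS.get(code, "enterprise-specific" if code >= 128 else "reserved")
    oui = None
    if fmt == "ipv4" and len(payload) == 4:
        data = ".".join(str(b) for b in payload)
    elif fmt == "mac" and len(payload) == 6:
        data = ":".join(f"{b:02x}" for b in payload)
        oui = data[:8]
    elif fmt == "text":
        data = payload.decode("ascii", errors="replace")
    else:
        data = payload.hex()
    return EngineID(ent, ENTERPRISES.get(ent, "unknown"), fmt, data, oui)

if __name__ == "__main__":
    # constructed sample: Cisco enterprise 9, format 3 (MAC)
    print(decode_engine_id("80:00:00:09:03:00:1b:d4:aa:bb:cc"))
```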
──── 5. BRUTE-FORCE COMMUNITY STRINGS (v1/v2c) ────────────────────────────────
# Quick test with bundled wordlist
onesixtyone <target>
# Real wordlist
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt <target>
# Slow it down if you suspect packet loss (UDP — drops are common)
onesixtyone -w 100 -c <wordlist> <target>
# Nmap alternative
sudo nmap -sU -p161 --script snmp-brute <target>
sudo nmap -sU -p161 --script snmp-brute --script-args \
snmp-brute.communitiesdb=/usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt <target>
──── 6. ENUMERATION ONCE YOU HAVE A COMMUNITY STRING ──────────────────────────
# Comprehensive overview
snmp-check -c <community> -v 2c <target>
# Full walk (lots of traffic — consider targeting specific OIDs instead)
snmpwalk -v2c -c <community> <target>
# Nmap NSE — runs all snmp-* scripts
sudo nmap -sU -p161 --script "snmp-*" <target>
Useful targeted OIDs:
1.3.6.1.2.1.1 System group: sysDescr/Name/Location/Contact
1.3.6.1.2.1.4.22.1.2 ARP table
1.3.6.1.2.1.4.21.1 Routing table
1.3.6.1.2.1.2.2.1 Interface table
Windows-specific (if sysDescr says Windows):
1.3.6.1.4.1.77.1.2.25 Local users
1.3.6.1.2.1.25.4.2.1.2 Running processes
1.3.6.1.2.1.25.6.3.1.2 Installed software
1.3.6.1.2.1.6.13.1.3 Listening TCP ports
Cisco-specific:
1.3.6.1.4.1.9 Cisco proprietary tree (config-related goodies)
──── 7. v3 USERNAME ENUMERATION (NO CREDS NEEDED) ─────────────────────────────
# Some agents leak usernames via usmStats counters
snmpwalk -v3 -l noAuthNoPriv -u probeuser <target> 1.3.6.1.6.3.15.1.1
──── 8. COMMON FINDINGS / RED FLAGS ───────────────────────────────────────────
Default community strings:
public, private, cisco, manager, ILMI, tac, secret, enable
Findings to watch for:
• Default/weak community strings [Med-High]
• SNMP exposed to public internet (any version) [Med]
• snmpEngineTime indicating multi-year uptime [High]
(no patches applied → research vendor CVEs by version)
• CVE-2017-6736 (Cisco IOS/IOS-XE pre-auth SNMP RCE) [Critical]
• Mixed v1/v2c + v3 enabled (legacy versions co-enabled) [Low]
• Read-write community string (classically "private") [Critical]
→ Cisco: copy running-config tftp: via SNMP
──── 9. v3 SECURITY LEVELS (REFERENCE) ────────────────────────────────────────
-l noAuthNoPriv No auth, no encryption (just username)
-l authNoPriv HMAC auth, no encryption
-l authPriv HMAC auth + AES encryption ← the only secure config
Auth algorithms: MD5, SHA, SHA-224, SHA-256, SHA-384, SHA-512
Priv algorithms: DES, 3DES, AES, AES-192, AES-256
Full v3 query example:
snmpget -v3 -l authPriv \
-u monitoring \
-a SHA-256 -A "AuthPass" \
-x AES256 -X "PrivPass" \
<target> 1.3.6.1.2.1.1.1.0
──── 10. WIRESHARK FILTERS ────────────────────────────────────────────────────
snmp all SNMP traffic
snmp.version == 0 v1
snmp.version == 1 v2c
snmp.version == 3 v3
snmp.community == "public" specific community string visible
═══════════════════════════════════════════════════════════════════════════════
Check for NTP (time) service
sudo nmap -sU -p123 --script=ntp-info 1.2.3.4